Verification Of UID(0) Requirement For Started Tasks To Comply With GAO Audit Question And Top Secret
Article ID: 189516
Updated On:
Products
Issue/Introduction
Verification Of Mainframe Started tasks that require UID(0) zero
ACID DESCRIPTION
BBIPAS BBI PASS MANAGER
CCSSTC CA7 STARTED TASK ACID
CRON OMVS/CRON (task scheduler)
FTPA Kernal Daemon for FTP
MFRSDBS Orcale10g MFRS DBASE SERVICES
MFRTDBS Orcale10g MFRT DBASE SERVICES
MVRPDBS Orcale10g MVRP DBASE SERVICES
MVSTCP z/OS TCP/IP STC
ORATSTC ORACLE10G SYT STC ACID
PAGENT TCPIP POLICY AGENT
P31BMC Mainview
P31MSM CA Chorus/MSM
P31NMD NETMASTER Report Center
P311DFG BATCH/DASD VOLUME CONFIG-DEFRAG
P39SCA7 CA7 PROD CONTROL BATCH ACID
SSHD2 SSH TECTIA SERVER
WILYZOS WILYZOS STC – CA CROSS Enterprise APM agent
ZFS ZFS ACID (omvs zs file system manager)
Environment
Release : 16.0
Component : CA TOP SECRET
Resolution
CCSSTC CA7 STARTED TASK ACID
P39SCA7 CA7 PROD CONTROL BATCH ACID
P31MSM CA Chorus/MSM
P31NMD NETMASTER Report Center
** There isn't anything in the CA WORKLOAD AUTOMATION CA 7® EDITION 12.1 documentation where UID(0) is required. Here are the commands for Top Secret:
CA Workload Automation CA 7 Edition requires an ACID definition to execute under CA Top Secret® security. This definition identifies CA WA CA 7 Edition as a started task, names the procedure from which CA WA CA 7 Edition executes, and associates the CA WA CA 7 Edition facility with the CA WA CA 7 Edition ACID.
This command has the following format:
TSS CREATE(CA7ONL) NAME('CA 7 ONLINE ACID') FAC(STC,BATCH) +
TYPE(USER) PASS(NOPW) DEPT(CA7OPS) MASTFAC(CA7)
TSS PERMIT(CA7ONL) ACID(acid1)
Where acid1 is one of the acids that you want to use for scheduled batch jobs through CA WA CA 7 Edition. Do this for each acid that is used for scheduled batch jobs through CA WA CA 7 Edition.
Though not recommended, if you want to allow the CA7ONL acid to submit jobs under any ACID and not define each separately, add the NOSUBCHK attribute to the CA7ONL ACID.
The following command adds the CA WA CA 7 Edition ACID to the CA Top Secret Started Task facility and identifies the CA WA CA 7 Edition procedure name.
TSS ADDTO(STC) PROCNAME(CA7ONL) ACID(CA7ONL)
Define ICOM to CA Top Secret
The CA Workload Automation CA 7 Edition Independent Communications Manager (ICOM) must also be defined to CA Top Secret®. ICOM handles SMF data for jobs that are submitted through CA WA CA 7 Edition, and therefore requires an ACID to execute in a CA Top Secret secured environment. The following command example may be used to define ICOM to CA Top Secret.
This command has the following format:
TSS CREATE(CA7ICOM) NAME('CA 7 ICOM') FAC(STC) TYPE(USER) +
PASS(NOPW) DEPT(CA7OPS) MASTFAC(CA7)
TSS PERMIT(CA7ICOM) ACID(acid1)
The following command adds the ICOM ACID to the CA Top Secret Started Task Facility and identifies the ICOM procedure name.
TSS ADDTO(STC) PROCNAME(CA7ICOM) ACID(CA7ICOM)
Where acid1 is one of the acids that you want to use for scheduled batch jobs through CA WA CA 7 Edition. Do this for each acid that is used for scheduled batch jobs through CA WA CA 7 Edition.
Though not recommended, if you want to allow the CA7ICOM acid to submit jobs under any ACID and not define each separately, add the NOSUBCHK attribute to the CA7ICOM ACID.
** The following links to Chorus Software Manager (formerly MSM) documentation explain the prerequisites and how to set up CA CSM without UID(0) in Top Secret:
Set Up CA CSM User ID Without UID(0) Prerequisites
Set Up CA CSM User ID Without UID(0) for CA Top Secret for z/OS
** The CA NETMASTER® SHARED CONTENT LIBRARY 12.2 documentation gives the commands (TSS, ACF2, and RACF) to set up the OMVS segments for region STCs:
Set Up OMVS Segment for Region STCs
The TSS command has UID(nnn), which indicates that 0 is not required.
** For the non Broadcom/CA products, check with the product vendor to see if their respective product requires UID(0) on the region acid.
Feedback
